
Bug 955981

Summary: glsa 202505-11 is too strict on nodejs version
Product: Gentoo Security
Reporter: Tomáš Mózes <hydrapolic>
Component: GLSA Errors
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: normal
CC: cmwatts, graaff, hydrapolic, sam, williamh
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=936204
Whiteboard:
Package list:
Runtime testing required: ---

Description Tomáš Mózes 2025-05-15 07:13:13 UTC
According to https://nodejs.org/en/about/previous-releases, v20.x is supported until next year. How about we stabilize 20.19.1 and adjust the glsa?

Thanks
Comment 1 Hans de Graaff gentoo-dev Security 2025-05-15 09:09:31 UTC
Unfortunately this is not possible since all nodejs versions have the same slot, and the GLSA system does not support subslots or compound version identifiers (e.g. ( =nodejs-20* >nodejs-20.1 )) to make this work better. :-(

Perhaps sam or ajak know about a workaround for this but I don't think we can do better with the current system.
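To make the limitation described in comment 1 concrete, the following is an added example written for this page; it is not glsa-check's or any other Gentoo tool's code. The XML fragment is modelled on the <affected> block of a GLSA, but its version numbers are invented, and version comparison is simplified to dotted integers (no Portage suffix or -rN revision handling). The per-branch table at the end is a hypothetical representation of the compound "( =nodejs-20* >nodejs-20.1 )" idea, which the GLSA format does not support.

```python
"""Why a single-range GLSA over-reports on a package that ships several supported branches
in one slot. Illustrative code only, not glsa-check. All version numbers are made up."""
import xml.etree.ElementTree as ET

# Constructed fragment modelled on a GLSA <affected> block: one unaffected/vulnerable
# pair for the whole slot. Numbers are invented, not those of any real advisory.
GLSA_SINGLE_RANGE = """\
<glsa>
  <affected>
    <package name="net-libs/nodejs" auto="yes" arch="*">
      <unaffected range="ge">22.15.0</unaffected>
      <vulnerable range="lt">22.15.0</vulnerable>
    </package>
  </affected>
</glsa>
"""

# Simplified dotted-integer comparison; real Portage versions also carry _rc/_p suffixes
# and -rN revisions, which are deliberately not handled here.
def parse_version(v):
    return tuple(int(part) for part in v.split("."))

COMPARATORS = {
    "ge": lambda a, b: a >= b,
    "gt": lambda a, b: a > b,
    "le": lambda a, b: a <= b,
    "lt": lambda a, b: a < b,
    "eq": lambda a, b: a == b,
}

def in_range(installed, range_op, bound):
    return COMPARATORS[range_op](parse_version(installed), parse_version(bound))

def is_vulnerable(glsa_xml, installed):
    """Single-slot rule: installed is vulnerable if it matches any <vulnerable>
    range and no <unaffected> range of the package."""
    root = ET.fromstring(glsa_xml)
    for pkg in root.iter("package"):
        unaffected = any(in_range(installed, u.get("range"), u.text.strip())
                         for u in pkg.iter("unaffected"))
        vulnerable = any(in_range(installed, v.get("range"), v.text.strip())
                         for v in pkg.iter("vulnerable"))
        if vulnerable and not unaffected:
            return True
    return False

# Hypothetical per-branch table (NOT a GLSA feature): major branch -> first fixed version.
# This is what a compound expression like ( =nodejs-20* >nodejs-20.1 ) would encode.
FIXED_PER_BRANCH = {"20": "20.19.1", "22": "22.15.0"}

def is_vulnerable_per_branch(installed, fixed=FIXED_PER_BRANCH):
    """Branch-aware rule: compare against the fix for the installed major branch only.
    A branch with no recorded fix is reported as vulnerable (conservative default)."""
    major = installed.split(".")[0]
    if major not in fixed:
        return True
    return parse_version(installed) < parse_version(fixed[major])

if __name__ == "__main__":
    for ver in ("20.19.1", "20.19.0", "22.15.0", "22.14.9", "18.20.8"):
        print(f"{ver:>8}  single-range: {is_vulnerable(GLSA_SINGLE_RANGE, ver)!s:5}"
              f"  per-branch: {is_vulnerable_per_branch(ver)}")
```

With the single range, an installed 20.19.1 is reported vulnerable purely because 20.x sorts below the 22.x bound, even though the branch itself has its fix; the per-branch rule clears it while still flagging 20.19.0 and any branch the table does not know about.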
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-05-17 08:02:31 UTC
We can try to do as we did before in https://security.gentoo.org/glsa/202405-29 but I don't think that will really help glsa-check. It may help some external consumers of tools.
Comment 3 Larry the Git Cow gentoo-dev 2025-05-17 09:19:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3b60128583dc9a401386f97b6f98c90fc96838e6

commit 3b60128583dc9a401386f97b6f98c90fc96838e6
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2025-05-17 09:18:17 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2025-05-17 09:18:17 +0000

    Add version information for older slots
    
    This is a cosmetic change only.
    
    Bug: https://bugs.gentoo.org/955981
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202505-11.xml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
Comment 4 Hans de Graaff gentoo-dev Security 2025-05-17 09:22:40 UTC
(In reply to Sam James from comment #2)
> We can try do as we did before in https://security.gentoo.org/glsa/202405-29
> but I don't think that will really help glsa-check. It may help some
> external consumers of tools..

I've added the information for the older slots, but this really is a cosmetic change only. Any tool that falls for this in reporting vulnerable versions should be fixed :-/

I've reopened the bug as well, in case people are interested in tackling this more structurally.

One thing I've noticed is that our GLSA XML format is not versioned. Not sure what a best practice is for XML but this might be a good first step if we want to change how versions are represented.